UNC2891 ATM Fraud Campaign Targets Indonesian Banks
Summary
UNC2891, a financially motivated threat group, conducted a multi-year ATM fraud campaign against two Indonesian banks, combining Raspberry Pi-based ATM network infiltration, money mule recruitment, and custom malware. The group executed three attacks between 2022 and 2024, using the STEELCORGI packing tool and the CAKETAP rootkit to bypass ATM PIN verification. The campaign relied on an extensive money extraction network and on anti-forensic techniques to evade detection. In February 2022 the group compromised over 30 systems at Bank A, demonstrating persistent access and a mature intrusion toolset.
Timeline
- 20.11.2025 18:00 (1 article, 23h ago): UNC2891 Conducts Multi-Year ATM Fraud Campaign Against Indonesian Banks
  UNC2891 executed three attacks between 2022 and 2024 against two Indonesian banks, using custom malware and money mule networks. The group employed the CAKETAP rootkit for PIN bypass and maintained persistence with custom backdoors. The campaign involved extensive money extraction networks and anti-forensic measures to evade detection.
  Source: UNC2891 Money Mule Network Reveals Full Scope of ATM Fraud Operation — www.infosecurity-magazine.com — 20.11.2025 18:00
Information Snippets
- UNC2891 conducted three attacks against Bank A (February 2022, July 2024) and Bank B (November 2023).
  First reported: 20.11.2025 18:00 (1 source, 1 article)
  Source: UNC2891 Money Mule Network Reveals Full Scope of ATM Fraud Operation — www.infosecurity-magazine.com — 20.11.2025 18:00
- The group used the STEELCORGI packing tool across all three attacks.
  First reported: 20.11.2025 18:00 (1 source, 1 article; same source as above)
- UNC2891 recruited money mules via Google ads and Telegram channels, providing them with cloned card equipment.
  First reported: 20.11.2025 18:00 (1 source, 1 article; same source as above)
- The group developed the CAKETAP rootkit to intercept and replace PIN verification messages, bypassing ATM verification processes.
  First reported: 20.11.2025 18:00 (1 source, 1 article; same source as above)
- Persistence was maintained using the TINYSHELL, SLAPSTICK, and SUN4ME malware components.
  First reported: 20.11.2025 18:00 (1 source, 1 article; same source as above)
- UNC2891 used LOGBLEACH and MIGLOGCLEANER for log wiping and planted init scripts so that its tooling was restarted automatically after reboot.
  First reported: 20.11.2025 18:00 (1 source, 1 article; same source as above)
- The group compromised over 30 systems at Bank A during the February 2022 incident.
  First reported: 20.11.2025 18:00 (1 source, 1 article; same source as above)